+++ This bug was initially created as a clone of Bug #163069 +++
MFSA 2005-45 Fixed in: Firefox 1.0.5 Mozilla Suite 1.7.9
impact=moderate,source=mozilla,public=20050712
In several places the browser UI did not correctly distinguish
between true user events, such as mouse clicks or keystrokes, and
synthetic events generated by web content. The problems ranged
from minor annoyances like switching tabs or entering full-screen
mode, to a variant on MFSA 2005-34
https://bugzilla.mozilla.org/show_bug.cgi?id=289940
MFSA 2005-46 Firefox 1.0.5 Thunderbird 1.0.5 Mozilla Suite 1.7.9
impact=low,source=mozilla,public=20050712
Scripts in XBL controls from web content continued to be run even
when Javascript was disabled. By itself this causes no harm, but
it could be combined with most script-based exploits to attack
people running vulnerable versions who thought disabling
javascript would protect them.
https://bugzilla.mozilla.org/show_bug.cgi?id=292591
https://bugzilla.mozilla.org/show_bug.cgi?id=292589
MFSA 2005-47 Firefox 1.0.5
impact=moderate,source=mozilla,public=20050712
If an attacker can convince a victim to use the "Set As Wallpaper"
context menu item on a specially crafted image then they can run
arbitrary code on the user's computer. The image "source" must be a
javascript: url containing an eval() statement and such an image
would get the "broken image" icon, but with CSS it could be made
transparent and placed on top of a real image.
http://www.mikx.de/firewalling/
https://bugzilla.mozilla.org/show_bug.cgi?id=292737
MFSA 2005-48 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=moderate,source=mozilla,public=20050712
The InstallTrigger.install() method for launching an install
accepts a callback function that will be called with the final
success or error status. By forcing a page navigation immediately
after calling the install method this callback function can end up
running in the context of the new page selected by the attacker.
This is true even if the user cancels the unwanted install dialog:
cancel is an error status. This callback script can steal data
from the new page such as cookies or passwords, or perform actions
on the user's behalf such as make a purchase if the user is
already logged into the target site.
https://bugzilla.mozilla.org/show_bug.cgi?id=293331
MFSA 2005-49 Firefox 1.0.5
impact=important,source=mozilla,public=20050712
Sites can use the _search target to open links in the Firefox
sidebar. A missing security check allows the sidebar to inject
data: urls containing scripts into any page open in the browser.
This could be used to steal cookies, passwords or other sensitive
data.
https://bugzilla.mozilla.org/show_bug.cgi?id=294074
MFSA 2005-50 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=moderate,source=mozilla,public=20050712
When InstallVersion.compareTo() is passed an object rather than a
string it assumed the object was another InstallVersion without
verifying it. When passed a different kind of object the browser
would generally crash with an access violation.
MFSA 2005-51 Firefox 1.0.5 Mozilla Suite 1.7.9
CAN-2005-1937
impact=important,source=mozilla,public=20050606
The original frame-injection spoofing bug was fixed in the Mozilla
Suite 1.7 and Firefox 0.9 releases. This protection was
accidentally disabled by one of the fixes in the Firefox 1.0.3 and
Mozilla Suite 1.7.7 releases.
http://secunia.com/advisories/15601/
https://bugzilla.mozilla.org/show_bug.cgi?id=296850
MFSA 2005-52 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=moderate,source=mozilla,public=20050712
A child frame can call top.focus() even if the framing page comes
from a different origin and has overridden the focus() routine.
The call is made in the context of the child frame. The attacker
would look for a target site with a framed page that makes this
call but doesn't verify that its parent comes from the same site.
By framing this page the attacker could steal cookies and
passwords, or take actions on the site on behalf of a signed-in
user.
http://secunia.com/advisories/15549/
https://bugzilla.mozilla.org/show_bug.cgi?id=296830
MFSA 2005-53 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=moderate,source=mozilla,public=20050712
Several media players, for example Flash and QuickTime, support
scripted content with the ability to open URLs in the default
browser. The default behavior for Firefox and the Mozilla Suite
was to replace the currently open browser window's content with
the externally opened content. If the external URL was a
javascript: url it would run as if it came from the site that
served the previous content, which could be used to steal
sensitive information such as login cookies or passwords. If the
media player content first caused a privileged chrome: url to load
then the subsequent javascript: url could execute arbitrary code.
https://bugzilla.mozilla.org/show_bug.cgi?id=298255
MFSA 2005-54 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=low,source=mozilla,public=20050607
Alerts and prompts created by scripts in web pages are presented
with the generic title [JavaScript Application] which sometimes
makes it difficult to know which site created them. A malicious
page could attempt to cause a prompt to appear in front of a
trusted site in an attempt to extract information such as
passwords from the user.
https://secunia.com/advisories/15489/
https://bugzilla.mozilla.org/show_bug.cgi?id=298934
MFSA 2005-55 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=moderate,source=mozilla,public=20050712
Parts of the browser UI relied too much on DOM node names without
taking different namespaces into account and verifying that the
node was really of the expected type. An XHTML document could be
used, for example, to create fake <IMG> elements with
content-defined properties that will be accessed as if they were
the trusted built-in properties of the expected HTML elements.
https://bugzilla.mozilla.org/show_bug.cgi?id=298892
MFSA 2005-56 Firefox 1.0.5 Mozilla Suite 1.7.9
impact=important,source=mozilla,public=20050712
Improper cloning of base objects allowed web content scripts to
get to a privileged object by walking up the prototype chain. This
could be used to execute code with enhanced privileges.
https://bugzilla.mozilla.org/show_bug.cgi?id=294795
https://bugzilla.mozilla.org/show_bug.cgi?id=294799
https://bugzilla.mozilla.org/show_bug.cgi?id=295011
https://bugzilla.mozilla.org/show_bug.cgi?id=296397